Malware using the BITS service
dvk01
May 11th, 2007, 04:59 AM
I have put this in Other Firewalls because I think it is a firewall-related topic, but if anyone feels differently please feel free to move it to wherever you feel is more suitable.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019118&source=rss_news10
Some of us have been discussing this for over a year now, so Symantec might be a bit slow in coming out with it.
See an article by GKweb warning of the problems: http://www.firewallleaktester.com/news.htm (scroll down to June 10th 2006).
In MY view it is potentially a very serious risk.
In the typical hypothetical situation:
Joe Public clicks on the link to download the "dancing pigs" screen saver.
Along with the screensaver comes a task job for BITS.
No AV alert, as it is an innocent task job. No firewall alert, as the download is via BITS, which is automatically allowed in EVERY firewall by default.
The first thing downloaded is a rootkit component, over a period of time, so there are no warnings with flashing TVs in the sys tray or sudden slowdowns due to downloading large files, and it continues to install lots of malware.
Once the rootkit installs, say the latest PE386 (Rustock C) for example, which hides from just about every antivirus known, it hides all the malware files it downloads so AV can't see them or scan them.
Boom.
One infected computer that is 0wned by the rootkit/malware.
And it is not an unknown scenario, and could explain a lot of the current stealth installs of malware where the victims have what we would normally describe as adequate or good protection, for example KAV & a recognised firewall.
I might be exaggerating the potential for this one to be a potent avenue for infection, but as we close off as many other infection vectors as we can, new ones are always found.
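The scenario above is exactly what a defender would want to check for on a suspect machine: which BITS jobs exist, who owns them, where they download from, and whether they run a command when they finish. The following PowerShell is an added example, not from the thread or from any product it mentions. It assumes the BitsTransfer module (Windows 7 / Server 2008 R2 and later; on the XP-era systems the thread discusses, `bitsadmin /list /allusers /verbose` shows the same information) and an elevated shell, which `-AllUsers` requires. The host allow-list is an assumption for illustration and should be adjusted to what your own update traffic actually uses.

```powershell
# Added example, not from the thread: list every BITS job on the machine and flag the ones
# a defender would want to look at. Assumes the BitsTransfer module (Windows 7 / Server
# 2008 R2 and later) and an elevated shell, which -AllUsers needs to see other users' jobs.
Import-Module BitsTransfer

# Assumption for illustration: hosts you treat as legitimate update sources. Windows Update
# jobs normally belong to NT AUTHORITY\SYSTEM and pull from these; adjust to your own traffic.
$trustedSuffixes = @('windowsupdate.com', 'update.microsoft.com', 'download.microsoft.com')

function Test-TrustedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $false }
    foreach ($suffix in $trustedSuffixes) {
        if ($h -eq $suffix -or $h.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Get-SuspectBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $untrusted = @($job.FileList | Where-Object { -not (Test-TrustedHost $_.RemoteName) })
        # A job with a completion command line runs a program when the download finishes,
        # so it is worth a look whatever the source.
        $runsCommand = -not [string]::IsNullOrEmpty($job.NotifyCmdLine)
        if ($untrusted.Count -gt 0 -or $runsCommand) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Sources     = ($untrusted | ForEach-Object { $_.RemoteName }) -join '; '
                Targets     = ($untrusted | ForEach-Object { $_.LocalName }) -join '; '
                NotifyCmd   = $job.NotifyCmdLine
            }
        }
    }
}

$findings = @(Get-SuspectBitsJob)
if ($findings.Count -gt 0) {
    $findings | Format-List
    # To cancel a job you have judged hostile (this also removes its partial temporary file):
    #   Get-BitsTransfer -AllUsers | Where-Object { $_.JobId -eq $findings[0].JobId } | Remove-BitsTransfer
} else {
    'No BITS jobs outside the allow-list.'
}

# Finished jobs drop out of the list, so also read the BITS client event log, where event
# ID 3 records each job creation (job name and owner).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 3 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The point-in-time listing only catches jobs that are queued or in progress, which is why the event log query is there: a job that pulled a small file and completed hours ago is invisible to `Get-BitsTransfer` but still shows up as a creation record. A job owned by an ordinary user account that downloads from a non-Microsoft host into a user-writable path, or that carries a completion command line, is the pattern the original post describes.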
flinchlock
May 11th, 2007, 07:30 AM
I disabled Windows Update (WUP) from the very beginning, and instead use Microsoft Baseline Security Analyzer (http://www.microsoft.com/technet/sec.../mbsahome.mspx) (MBSA). I also have BITS (Background Intelligent Transfer Service) disabled.
Dancing pigs => http://en.wikipedia.org/wiki/Dancing_pigs
-{ Quote: "In computer security, dancing pigs or the dancing pigs problem refers to a statement on user attitudes to computer security: that users primarily desire features without considering security, and so security must be designed in without the computer having to ask a technically ignorant user. The term has its origin in a remark by Edward Felten and Gary McGraw: "Given a choice between dancing pigs and security, users will pick dancing pigs every time."" }-
Mike
P.S. Here is how I used MBSA http://www.wilderssecurity.com/showthread.php?t=171521
Stem
May 11th, 2007, 03:09 PM
-{ Quote: "I have put this in other firewalls because I think it is a firewall related topic " }-Although this is not classed as a firewall vulnerability, there have been posts before on this forum concerning this.
-{ Quote: "Some of us have been discussing this for over a year now so Symantec might be a bit slow with it coming out " }-There are posts on the forum from "June" last year concerning "BITS", as the protection/interception of comms for this were (at that time) to be added to Comodo.
forum thread (http://www.wilderssecurity.com/showthread.php?p=773474#post773474)
dvk01
May 11th, 2007, 03:26 PM
Thanks Stem
I am not sure what we would actually class this as.
It is definitely a vulnerability where the majority of firewalls do not alert about BITS connecting, because they are designed not to.
Now we are seeing the start of malware using the BITS service in the wild with no alerts warning about connections; I don't know how we get around it.
Microsoft seem to be encouraging the use of BITS for updating applications, so a total block on svchost.exe to non-Microsoft sites isn't a suitable answer, so it's all open to debate.
Stem
May 11th, 2007, 04:01 PM
-{ Quote: "I am not sure what we would actually class this as" }-Personally, I class this as "Well, a good idea at the time"... but as with a number of Windows internal comms, they can be used by malware.
-{ Quote: "it is definitely a vulnerability where the majority of firewalls do not alert about bits connecting because they are designed not to " }-As we know, it is svchost that actually performs the downloads according to "jobs" from "BITS", and as most users allow svchost outbound due to Windows updates etc., a basic firewall will allow this due to user rules allowing svchost outbound. Even if the user has a firewall/HIPS that will intercept these internal comms, most will allow it as they will not know what it is.
-{ Quote: "Now we are seeing the start of malware using bits service in the wild with no alerts warning about connections, I don't know how we get around it
Microsoft seem to be encouraging the use of bits for updating applications so a total block on svchost.exe to non Microsoft sites isn't a suitable answer so it's all open to debate" }-This is the main problem. Most users will auto-update Windows, but even if, for example, a user disables svchost from making outbound connections (before/after an update), any "jobs" will be performed in the time it is allowed, so harm can be done.
It is certainly a bad situation, but I could see it coming. Personally, my setup does not allow any direct internet access to svchost, and I manually apply any Windows updates, but this is certainly not what all users will/want, or can do.
TopperID
May 11th, 2007, 06:36 PM
I allow automatic updates for Windows, but I have the BITS service set to run as manual; when updates start I will see the icon in my tray and RD gives a pop-up to facilitate the change of state from 'stopped' to 'started'. SSM also gives an alert on this change of service status. So I have the chance to deny BITS from running if it should ever try to start at any other time.
dvk01
May 12th, 2007, 06:02 AM
-{ Quote: "I allow automatic updates for Windows, but I have the BITS service set to run as manual; when updates start I will see the icon in my tray and RD gives a pop-up to facilitate the change of state from 'stopped' to 'started'. SSM also gives an alert on this change of service status. So I have the chance to deny BITS from running if it should ever try to start at any other time." }-
That seems a fair way to do it.
What rule do you use in RD to do that?
The only downside I see is that I, along with many others, turn off RD when doing Windows updates, otherwise I would soon wear out my "click yes" button.
Also, that doesn't eliminate the risk totally, because as soon as BITS is enabled for Windows Update & you have authorised RD to allow it, it can still connect to anything else without you knowing at the same time.
hiro
May 12th, 2007, 07:11 AM
I don't see any problem here.
The program attempts to create an outbound connection or accept an inbound connection. Trojans and other malicious programs/scripts can force trusted applications to establish unauthorized connections with suspicious peers.
How to prevent this?
GKweb explains this very clearly: you must create svchost network rules with your firewall.
The firewall needs user attention to make a final decision on the running process.
Pay attention to addresses.
Permit svchost outbound connections only to trusted Microsoft Update IPs/ports.
How can you find all the Microsoft Update IPs for your zone? Easily, if you use a good firewall. For example, Jetico makes this very easy for you.
Problem solved.
tamdam
May 12th, 2007, 07:50 AM
hiro
Some firewalls do not block BITS activity.
Check David Matousec's firewall tests:
http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php#firewalls-ratings
The "BITStester" leaktest actually does what the OP suggested a trojan/backdoor could do.
You can try out the BITStester leaktest for yourself:
http://www.matousec.com/projects/windows-personal-firewall-analysis/introduction-firewall-leak-testing.php
To the OP: Comodo and some other firewalls actually detect this activity.
hiro
May 12th, 2007, 08:16 AM
tamdam
The BITStester leaktest is only a test.
Every firewall coming with a rule for svchost which allows ports 80 and 443 to every IP can be bypassed!
Read GKweb's explanation carefully:
http://www.firewallleaktester.com/news.htm
Create svchost network rules with your firewall!
Pay attention to the Microsoft Update IP addresses!
Then run the BITStester leaktest to test your firewall's svchost rule.
You can pass it with every firewall!
tamdam
May 12th, 2007, 08:27 AM
Well, the scenario outlined by the OP was a malware program adding a job to BITS. When it adds the job, some firewalls like Comodo will actually ask you if you want to allow the malware internet access through a trusted service. In this sense you are right: it is not really a firewall's job to do this. However, some firewalls like Comodo have HIPS-like abilities; this is one of them.
TopperID
May 12th, 2007, 11:01 AM
-{ Quote: "That seems a fair way to do it
What rule do you use in RD to do that?
The only downside I see is that I, along with many others, turn off RD when doing Windows updates, otherwise I would soon wear out my "click yes" button.
Also, that doesn't eliminate the risk totally, because as soon as BITS is enabled for Windows Update & you have authorised RD to allow it, it can still connect to anything else without you knowing at the same time." }-
When an Automatic Windows Update is about to happen I have the yellow icon in my sys tray and I get a pop-up from RD that Services.exe wishes to set the following value:
HKEY_LOCAL_MACHINE\System\Controlset002\Services\Bits || start
That is to change BITS from a stopped state to a started state. If I allow it, BITS will start and updates proceed. Of course I turn off RD at this point, to prevent interference, but BITS will be stopped from running automatically afterwards.
The point being that if BITS ever wanted to start at an inappropriate moment (i.e. when I was not doing a Windows update) I could prevent it from doing so.
I'm using RD to protect the following Keys:-
HKEY_LOCAL_MACHINE\System\*controlset*\Services**
wat0114
May 12th, 2007, 01:12 PM
Creating highly restrictive rules for svchost in the firewall, as others have mentioned, seems to be the most effective solution. However, not too many people know how to accomplish this - nor want to be bothered learning how. Further to this, there is no point trying to educate those who are hell bent on installing, spyware-infested popcap and zango games and cute browser toolbars.
hiro
May 12th, 2007, 01:40 PM
tamdam, TopperID, and all
Many firewalls/HIPS pass this leaktest and many others.
But only in a leaktest environment, not in real circumstances.
When you work with a leaktest, your first worry (when the firewall/HIPS asks) is to block all. You block all, all right, you have passed the leaktest.
In a real environment it is different. How? A typical explanation/failure you can see in TopperID's post above: an Automatic Windows Update is about to happen ==> run BITS ==> svchost.exe, all legit Windows applications/services (it is not a suspicious "pigs.exe", and there is no question of whether today is the time to update or not), and what do 99.9% of users do? ALLOW! Your svchost has permission to access the network to every IP on ports 80 and 443, and whatever follows succeeds. The End!
You can forget about this only with restricted svchost access to the network: svchost access only to trusted IPs/ports and a block-others rule, without any questions!
Stem
May 12th, 2007, 02:58 PM
-{ Quote: "You can forget on this only with restricted svchost access to network, svchost access only to trusted IP/port and block others-rule, without any questions!" }-Hi hiro,
Yes, I understand and agree that placing restrictions on svchost can give the user this control. But as mentioned, there are not many users who want, or know how to set such rules.
If we look at Jetico, most users are put off using this firewall due to the many popups and confusion over rule creation. Yes, there is a list of server IPs shown at the leaktest website, but this may be incorrect for a user's location; other mirror sites used by Microsoft may use many other IPs (which could be hundreds or more), and having to keep adding rules would just put the user off. You will also note that most users try to stay with an application firewall as they do not want to set rules.
I know that some users can do this: they can set rules as updates are made, check these IPs via whois, then edit rules for IP ranges. To some this is simple; to a lot of others this would be a complete nightmare, and they look for alternatives, such as firewalls that will intercept these possible leaks for them.
TopperID
May 12th, 2007, 03:39 PM
-{ Quote: "In a real environment it is different. How? A typical explanation/failure you can see in TopperID's post above: an Automatic Windows Update is about to happen ==> run BITS ==> svchost.exe, all legit Windows applications/services (it is not a suspicious "pigs.exe", and there is no question of whether today is the time to update or not), and what do 99.9% of users do? ALLOW! Your svchost has permission to access the network to every IP on ports 80 and 443, and whatever follows succeeds. The End! " }-
So I'm going to load up with dancing pigs at the very moment the Windows Update icon is in my sys tray and I'm about to start updating?
I don't think so!
If the dancing pigs had been loaded at an earlier time, then so too would the attempt to start BITS, which would alert me to a problem.
dvk01
May 12th, 2007, 04:10 PM
Topper, what you are not seeing is the way BITS is designed to work.
It is intended to allow background updates, and automatic WU is ONE application that is designed to use it.
ANY application can be set to use it, and that is the worry, so if you disable the BITS service except when using WU, then any other program set to use it will also start its download at the moment that WU is allowed to, WITH NO WARNING from the firewall, so you don't have to load dancing pigs; it will detect the connection & enable itself.
hiro
May 12th, 2007, 07:13 PM
Hi, Topper.
Please try this.
Set the BITS service to Manual.
Then open "Run...", type in "net start bits" without quotes.
Do you get an alert from SSM?
Stem
May 12th, 2007, 07:48 PM
-{ Quote: "Please try this.
Set the BITS service to Manual.
Then open "Run...", type in "net start bits" without quotes.
Do you get an alert from SSM?" }-Result:
(screenshot attachment not reproduced)
This is a child process, not internal comms. I would prefer, for such cases, that SSM put this through the services firewall (it was mentioned/on the to-do list a long time ago).
TopperID
May 12th, 2007, 08:26 PM
That's interesting. I actually get several alerts from SSM, including ones that net.exe and net1.exe wish to run, BUT in this situation, when I click to allow, I do not get a pop-up from RD indicating a change of status for BITS; BITS simply runs (confirmed by an SSM module alert) without RD noticing anything. I haven't quite got that figured out. ???
-{ Quote: "ANY application can be set to use it, and that is the worry, so if you disable the BITS service except when using WU, then any other program set to use it will also start its download at the moment that WU is allowed to, WITH NO WARNING from the firewall, so you don't have to load dancing pigs; it will detect the connection & enable itself" }-
So you mean that the application wishing to use BITS does not attempt to start the service itself, but simply waits for BITS to run at a later date?
That could be a long wait; surely scans will pick something up in the interval?
In any case, with execution protection anything downloaded onto the system should not be able to run, should things get that far.
flinchlock
May 12th, 2007, 09:54 PM
-{ Quote: "I disabled Windows Update (WUP) from the very beginning <snip> I also have BITS (Background Intelligent Transfer Service) disabled." }-
Per http://www.firewallleaktester.com/news.htm (my bolding)-{ Quote: "Finally, disabling all together the automatic update service and BITS service is not a solution. Indeed, a malware could start them back before using them. I do not advise at all to disable Automatic Windows Updates, but if you go that way, do not forget to also block svchost.exe or services.exe in your firewall (if you are using DHCP, create a rule to allow local port 68 to communicate in UDP to the remote port 67, IP 255.255.255.255)." }-
-{ Quote: "In MY view It is a potentially a very serious risk" }-What an understatement! :o
Mike
hiro
May 13th, 2007, 11:16 AM
-{ Quote: "Originally Posted by TopperID
That's interesting. I actually get several alerts from SSM, including ones that net.exe and net1.exe wish to run, BUT in this situation, when I click to allow, I do not get a pop-up from RD indicating a change of status for BITS; BITS simply runs (confirmed by an SSM module alert) without RD noticing anything. I haven't quite got that figured out." }-
You have seen that with a simple innocent command we have a little upset the absolute trust in safety software. In a positive way: the more doubt you have, the surer you are!
wat0114
May 13th, 2007, 07:06 PM
-{ Quote: " I actually get several alerts from SSM, including ones that net.exe and net1.exe wish to run, " }-
So we see it's no big deal using SSM or a similar HIPS to stop this kind of action, if it were not a known, anticipated and expected test and one we actually want to launch.
TopperID
May 13th, 2007, 10:26 PM
Perhaps not quite so simple, because these alerts are for programs seeking to launch. Suppose the prog attempting to utilize BITS is already running?
The example postulated involves (if I understand it correctly) downloading something that secretly places a task in the Task Scheduler folder, and this will run with Windows. So the task will run whenever scheduled (e.g. every hour) and presumably makes use of BITS, if it is running, to D/L a rootkit.
Mind you, I'm not clear how the rootkit will install and do damage if you are running suitable HIPS progs.
wat0114
May 13th, 2007, 11:30 PM
-{ Quote: "Perhaps not quite so simple, because these alerts are for programs seeking to launch. Supposing the prog attempting to utilize BITS is already running? " }-
That is a good point Topper, but does that not still take us back to the original stipulation that the already running program had to be authorized by the HIPS in the first place? It is possible to slip up and allow it, but I'm pretty content knowing that as long as I have very tight firewall rules, call home or download attempts by the malware should be practically eliminated. Private data leakage concerns me far more than my data getting destroyed by malware. Backups and images will easily resolve the latter issue.
hiro
May 14th, 2007, 04:59 AM
Hi wat0114, hi TopperID.
HIPS/firewalls do their job OK; the decision always stays with the user as to what to accept and what not. And that is the problem.
Return to the first post of dvk01.
Hypothetical scenario:
"Joe Public clicks on the link to download the "dancing pigs" screen saver
Along with the screensaver comes a task job for BITS
No AV alert as it is an innocent task job." (Joe's first thought: already 90% safe)
Joe runs the "dancing pigs" screen saver installation.
All HIPS alert for a legit Windows application, with an event like:
"This is likely to be normal activity" (Joe's second thought: 100% safe)
Joe doesn't know what net.exe, net1.exe, BITS, etc. are; he just thinks it is all normal processes run by the screen saver installation. Joe must allow all if he is to have his new screen saver (virus free), right?
Boom! The "pigs dance" begins.
After this your system gets downloads or, more important for your privacy, uploads to an unknown server.
In this case the download/upload is performed by svchost.exe, and if your firewall is configured to allow svchost to any IP on ports 80/443, you don't get an alert any more.
wat0114
May 14th, 2007, 10:56 AM
-{ Quote: "
In this case download/upload perform svchost.exe, and if your firewall is configured to allow svchost to any IP/port 80/443, you don't have alert any more." }-
The scenario you describe is actually quite typical and that is why in this last bit with svchost it is so important to impose tight restrictions in firewall rules. Just look at my ss where MS wants svchost to "phone home" with, no doubt, my private info. Naturally I have it permanently blocked. Outpost also warns me whenever the connection attempt is made. I get several warnings a day. One more thing: where does Joe get the dancing pigs screensaver from? This is of utmost consideration also. If he reads the site's privacy policy and with a little more research confirms it to be a "on the level" site, then he probably gets himself a harmless screensaver, otherwise it's his own tough luck that he is so careless in where he gets his gimmicky freebies from.
TopperID
May 14th, 2007, 12:26 PM
-{ Quote: "That is a good point Topper, but does that not still take us back to the original stipulation that the already running program had to be authorized by the HIPS in the first place? " }-
No! There are some programs that run with Windows, i.e. they start when Windows starts, so you never get alerted on them; the Task Scheduler is one such program (though if the task involved running another app you would be alerted on that, but not if it is just making use of BITS).
But what of other legitimate progs that are given the right to run without need of a prompt, such as Services.exe? If it is exploited it could perform apparently 'normal' functions without causing intervention from a behaviour blocker etc.
-{ Quote: "If he reads the site's privacy policy and with a little more research confirms it to be an "on the level" site, then he probably gets himself a harmless screensaver, otherwise it's his own tough luck that he is so careless in where he gets his gimmicky freebies from." }-
Yes, it seems to me that you have to do something foolish in the first place to get into this predicament. But it is the one big weakness of HIPS progs that if the user allows a prog to run during a D/L and install, then it will circumvent the execution protection of HIPS.
hiro
May 14th, 2007, 04:16 PM
-{ Quote: "Originally Posted by wat0114
One more thing: where does Joe get the dancing pigs screensaver from? This is of utmost consideration also. If he reads the site's privacy policy and with a little more research confirms it to be a "on the level" site, then he probably gets himself a harmless screensaver, otherwise it's his own tough luck that he is so careless in where he gets his gimmicky freebies from." }-
Why are you so angry? Is it with Joe or with me?
wat, Joe and the dancing pigs screensaver are only an example invented by dvk01 to liven up the discussion; it is a hypothetical scenario. I don't know if it exists; do you?
I instead wanted to help with understanding the problem; then each does as he wants.
wat0114
May 14th, 2007, 04:27 PM
-{ Quote: "Why are you so angry, has it with Joe or with me?
wat, Joe and dancing pigs screensaver is only an example invented by dvk01 to cheer up discussion, it is a hypothetical scenario. I don'tknow if it exists, you know it?
I instead wanted to help to understand the problem , then each does it as he wants." }-
No anger here at all :) I just posed the question and I realize your example is only hypothetical, and it is a very good one at that. In reality Joe, or whoever it is, has a choice. Either he downloads it or he doesn't, and he can freely choose from where he downloads it. If he does not want to exercise common sense in the process, then he has already lost half the battle. That is all I am saying. It is the same with those who seek out pirated software and keygens from P2P sites and get themselves into trouble that way. They still have a choice and they can use common sense to guide themselves in the process.
Paranoid2000
May 14th, 2007, 07:47 PM
Blocking svchost from network access seems the best bet since otherwise not only BITS but any other service can piggyback onto svchost to gain network access.
This then raises the question of how to do Windows updates:
- Download patches from the Microsoft Security Bulletins page (http://www.microsoft.com/technet/security/current.aspx) or use a third party tool like AutoPatcher;
- Temporarily allow svchost network access while running an update manually;
- Create a firewall rule allowing svchost access to "known" Windows Update URLs only (since MS use Akamai for load balancing, doing this by IP address is impractical unless Hosts file entries are used to limit the URLs to specific IP addresses only).
All these methods have strengths and downsides so the "best" choice will have to come down to user preference.
SSM can intercept attempts to start and stop services (though net.exe and net1.exe should have the "With these command line parameters" option enabled so that each service requires separate rules) but this won't cover the case where a service is already started by other software.
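One way to express the "svchost only to trusted update addresses" rule that hiro recommends and Paranoid2000 lists as the third option, as an added example rather than anything posted in the thread. It uses Windows Firewall with Advanced Security through the NetSecurity PowerShell module (Windows 8 / Server 2012 and later), which none of the 2007 products above had. The addresses are RFC 5737 documentation placeholders you must replace with ones you have verified yourself; Windows Firewall matches on IP only, so the Hosts-file trick Paranoid2000 mentions is the only way to pin names to addresses, and a CDN-distributed update service makes any fixed list fragile.

```powershell
# Added example, not from the thread: the "svchost only to trusted update addresses" rule
# as Windows Firewall with Advanced Security rules (NetSecurity module, Windows 8 / Server
# 2012 and later, elevated shell). The addresses are RFC 5737 documentation placeholders;
# replace them with ones you have verified yourself, and expect to revisit the list.
$updateServers = @('203.0.113.10', '203.0.113.11')

# 1. Windows Firewall allows outbound traffic by default, and an explicit Block rule would
#    beat any Allow rule for the same service, so the restriction must come from the
#    profile's default outbound action. After this, only traffic with an Allow rule leaves.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. BITS (hosted in svchost.exe) may reach only the listed addresses on 80/443. Scoping by
#    -Service restricts the rule to that service rather than to every service sharing the
#    same svchost.exe instance.
New-NetFirewallRule -DisplayName 'BITS to verified update servers only' `
    -Direction Outbound -Action Allow -Enabled True `
    -Program '%SystemRoot%\System32\svchost.exe' -Service BITS `
    -Protocol TCP -RemotePort 80,443 -RemoteAddress $updateServers

# 3. Everything else svchost hosts now needs its own rule or it stops silently. The DHCP
#    exception GKweb's note calls for (local UDP 68 to remote 67), and the DNS client,
#    which is the next thing you will notice missing.
New-NetFirewallRule -DisplayName 'DHCP client (svchost)' -Direction Outbound -Action Allow `
    -Program '%SystemRoot%\System32\svchost.exe' -Service Dhcp `
    -Protocol UDP -LocalPort 68 -RemotePort 67
New-NetFirewallRule -DisplayName 'DNS client (svchost)' -Direction Outbound -Action Allow `
    -Program '%SystemRoot%\System32\svchost.exe' -Service Dnscache `
    -Protocol UDP -RemotePort 53

# Check what the BITS rule actually allows before you rely on it.
Get-NetFirewallRule -DisplayName 'BITS to verified update servers only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The design choice is the one Stem warns about: flipping the default outbound action to Block means every svchost-hosted service (time sync, Windows Update's own wuauserv, the DNS and DHCP clients above) needs an explicit allow rule, and the update-server list has to be maintained as Microsoft's addresses change. It buys exactly what hiro describes, a BITS job pointed at an arbitrary host fails to connect instead of silently downloading, at the cost of the rule maintenance most users will not do.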
flinchlock
May 14th, 2007, 08:22 PM
-{ Quote: "Download patches from the Microsoft Security Bulletins page (http://www.microsoft.com/technet/security/current.aspx) or use a third party tool like AutoPatcher" }-
Or use MBSA see "Microsoft Baseline Security Analyzer vs Windows Update (http://www.wilderssecurity.com/showthread.php?t=171521)"
Mike
TopperID
May 14th, 2007, 10:16 PM
-{ Quote: "SSM can intercept attempts to start and stop services" }-
SSM can intercept attempts to start .exe services, but BITS is a .dll based service (qmgr.dll) run by svchost.exe, so how can SSM intercept that?
SSM will give a module alert when BITS changes status to running, but I don't see how you can use this to prevent a .dll service from running.
Copyright ©2002 - 2012, Wilders Security Forums